Providing a graphical representation of anomalous events

ABSTRACT

One or more event logs are received. The one or more event logs are analyzed using a plurality of models to detect one or more anomalous events. A graphical representation of risk entities associated with at least one of the one or more detected anomalous events is provided. A visual representation of automatically detected relationships between the risk entities associated with the at least one of the one or more detected anomalous events is provided in the graphical representation. Indications of measures of anomaly associated with detected anomalous events are provided for the associated risk entities.

BACKGROUND OF THE INVENTION

A primary system maintains an event log that stores a plurality of entries for a plurality of events. The event log may be updated when an object (e.g., file or directory) is accessed, modified, deleted, or created. The event log may also be updated for other events associated with the primary system, such as when a user logged in, the number of failed login attempts associated with a client device, each time a software update was performed, each time a password was changed, etc. A user may desire to determine whether there has been any anomalous activity at the primary system. However, the number of events stored in the event log may be too voluminous to determine whether there has been any anomalous activity in a timely manner.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 is a block diagram illustrating a system for providing a graphical representation of anomalous events in accordance with some embodiments.

FIG. 2 is a flow diagram illustrating a process for providing evidence of anomalous behavior in accordance with some embodiments.

FIG. 3 is a flow diagram illustrating a process for analyzing an event log in accordance with some embodiments.

FIG. 4 is a flow diagram illustrating a process for analyzing an event log in accordance with some embodiments.

FIG. 5 is a flow diagram illustrating a process of training a model in accordance with some embodiments.

FIGS. 6A-6N are examples of a graphical user interface in accordance with some embodiments.

FIG. 7A is an example of a graphical user interface in accordance with some embodiments.

FIG. 7B is an example of a graphical user interface in accordance with some embodiments.

DETAILED DESCRIPTION

Techniques to provide a graphical representation of anomalous events are described herein. One or more event logs are received and stored at an event analysis system. The one or more event logs include a plurality of entries. Each entry corresponds to an event. An entry may identify an event type and one or more attributes associated with the event. Examples of event type include a file deletion, a file access, a file creation, a file move, a directory deletion, a directory creation, a directory move, a system login grant, a system login denial, a user being added, a user being deleted, a file being downloaded, a user password change, change of state, change of status, etc. Examples of event attributes include a timestamp, a sequence number, a user (actor) to which the event is associated, an object with which the event is associated, an internet protocol address, a location from which the event occurred, etc. Examples of objects include files, databases, virtual machines, applications, containers, volumes, etc.

The one or more event logs are analyzed by providing each entry as input to a plurality of models that are configured to detect different types of anomalous behavior. For example, a model may be configured to determine whether an event or a group of events are indicative of an insider attack, a ransomware attack, a brute force attack, wide access (e.g., log in attempts from different locations), a sensitive data leak, a geo fencing breach, or a combination thereof. In some embodiments, the output of one or more models is input to a model (e.g., a layered model).

Based on the one or more event log entries, each of the models is configured to output a corresponding confidence level that indicates whether the one or more events corresponding to the one or more event log entries are anomalous. An event by itself or a combination of events may be indicative of anomalous behavior. A model may determine that an event is anomalous in the event a confidence level associated with the event is greater than a confidence level threshold. In some embodiments, the confidence level is based on historical events associated with a particular user. In some embodiments, the confidence level is based on historical events associated with a system that provided the event log. In some embodiments, the confidence level is based on historical programmatically generated events associated with an application. In some embodiments, the confidence level is based on a combination of events (e.g., the confidence level(s) associated with one or more other events may influence the confidence level of an event, a normal event may be determined to be an anomalous event if the event is a threshold event within a time frame. The threshold event is determined to be an anomalous event. The other events may or may not be determined to be anomalous events).

Each event is associated with at least one risk entity, such as location, actor, model that determined the event to be anomalous, an object that the actor accessed or attempted to access, etc. The relationship between the risk entities associated with an event are determined. The relationship between different risk entities associated with different events are determined. For example, the event analysis system determines whether any of the events share risk entities.

In some embodiments, the one or more event logs are provided to a third party system that is configured to analyze the one or more event logs for one or more anomalous events. The third party system may provide the analysis to the event analysis system. A graphical representation of risk entities associated with one or more detected anomalous events may be generated based on the received analysis.

A graphical representation of risk entities associated with one or more detected anomalous events is provided to a client device. This enables a user associated with the client device to determine potential risk to a system without having to analyze each specific event log. The graphical representation is a visual representation of automatically detected relationships between the risk entities. The graphical representation is comprised of a first plurality of graphical user interface items corresponding to the risk entities associated with at least one of the one or more detected anomalous events.

For example, a first graphical user interface item corresponding to a location associated with a first event may be linked to a second graphical user interface item corresponding to an actor associated with the first event, which is linked to a third graphical user interface item corresponding to a model that determined the first event to be anomalous, which is linked to a fourth graphical user interface item corresponding to an object that the actor associated with the first event accessed or attempted to access. In some embodiments, the relationship is depicted for anomalous events that occurred during a particular time frame. In some embodiments, the relationship is depicted for all events that occurred during the particular time frame. The particular time frame may be specified via the client device.

The event analysis system receives a selection of a graphical user interface item corresponding to one of the risk entities. The one or more event logs are re-analyzed based on the selected graphical user interface item to identify, if any, one or more other events related to the selected graphical user interface item. This analysis may enable a user associated with a client system to determine whether an event associated with the selected graphical user interface item is an isolated event or part of a group of events that are indicative of anomalous behavior. The one or more event logs may include additional event log(s) that were received since the previous analysis. In some embodiments, the event analysis system re-analyzes the one or more event logs for one or more other events that occurred in the same time frame as the first plurality of graphical user interface items. In some embodiments, the event analysis system analyzes the one or more event logs for one or more other events that occurred outside the time frame associated with the first plurality of graphical user interface items. In some embodiments, the event analysis system re-analyzes the one or more event logs for one or more other events that occurred in the same time frame as the first plurality of graphical user interface items and analyzes the one or more event logs for one or more other events that occurred outside the time frame associated with the first plurality of graphical user interface items.

The event log entries associated with the one or more identified events are provided as input to each of the plurality of models. Based on the one or more event log entries, each of the models is configured to output a confidence level that indicates whether an identified event is anomalous. An identified event is determined to be anomalous in the event its corresponding confidence level is greater than a confidence level threshold. In some embodiments, a group of events is determined to be anomalous (e.g., an anomalous incident) in the event a model outputs a confidence level that is greater than a confidence level threshold for the group of events. For example, the model may count the number of times that a particular type of event occurs within a particular period of time. The model may determine that a group of events of a particular type is anomalous after the number of occurrences of the particular type of event is greater than an event threshold. The events included in the group may be from the same event log and/or one or more other event logs.

Each anomalous event is associated with at least one of risk entity, such as location, actor, model that determined the event to be anomalous, an object that the actor accessed or attempted to access, etc. The relationships between the risk entities associated with the anomalous event are determined. The relationships between different entities associated with different anomalous events are determined. For example, the event analysis system determines whether any of the anomalous events share risk entities.

The graphical representation of risk entities associated with one or more detected anomalous events is updated. The updated graphical representation is comprised of a second plurality of graphical user interface items. Similar to the first plurality of graphical user items, a graphical user interface item may correspond to a risk entity, such as a location, an actor, a model that determined an event to be anomalous, or an object that the actor accessed or attempted to access. The graphical representation may include indications of a measure of an anomaly for an event that are based on a confidence level outputted by one of the models. The measure of anomaly is for the particular period of time associated with the second plurality of graphical user interface items. The measure of anomaly for an event is reflected in risk entities associated with the event. The reflected measure of anomaly may be color-coded. This indicates the seriousness of a detected event. The graphical representation depicts the relationship between the risk entity corresponding to the selected graphical user interface item and the plurality of risk entities associated with one or more anomalous events.

FIG. 1 is a block diagram illustrating a system for providing a graphical representation of anomalous events in accordance with some embodiments. In the example shown, system 100 includes primary systems 102 a . . . 102 n, event analysis system 112, and one or more client devices 122.

Primary systems 102 a . . . 102 n may be a server, a virtual machine running on a computing device, a database running on a computing device, or any computing device that is capable of generating an event log. Although FIG. 1 depicts two primary systems, system 100 may include 1:n primary systems. In some embodiments, primary systems 102 a . . . 102 n are associated with a single tenant. A tenant may correspond to a user, an enterprise, a government, a company, an organization, etc. In some embodiments, primary systems 102 a . . . 102 n are associated with a plurality of different tenants. In some embodiments, event analysis system 112 is coupled to a plurality of different tenants, each tenant being associated with one or more corresponding primary systems.

Primary systems 102 a . . . 102 n include one or more corresponding event logs 104 a . . . 104 n that are each comprised of a plurality of entries. An event log may be generated by an application (e.g., collaboration application, productivity application, database application, etc.) hosted by the primary system. In some embodiments, an event log is generated by an operating system, firmware, a firewall, etc. Each entry of an event log identifies an event type and one or more attributes associated with the event. Examples of event type include a file deletion, a file access, a file creation, a file move, a directory deletion, a directory creation, a directory move, a system login grant, a system login denial, a user being added, a user being deleted, a file being downloaded, a user password change, etc. Examples of event attributes include a timestamp, a sequence number, a user to which the event is associated, an object with which the event is associated, an internet protocol address, a location from which the event occurred, etc. An object may be included in a data pool. A data pool is a description of one or more objects to be included in the data pool when one or more data management services (e.g., backup, restore, migration, replication, tiering, disaster recovery, etc.) are performed.

Event analysis system 112 is coupled to primary systems 102 a . . . 102 n. Event analysis system 112 may be a server, a computing cluster comprised of a plurality of computing nodes, a virtual machine running on a computing device (e.g., a computer), a containerized application running on one or more computing devices, a cloud computing device, etc.

Event analysis system 112 includes event log reader 111. In some embodiments, event log reader 111 sends a corresponding request to primary systems 102 a . . . 102 n for an event log. In response, the primary systems 102 a . . . 102 n provide the requested event log. In some embodiments, primary systems 102 a . . . 102 n send (continually or periodically) a corresponding set of one or more events included in a corresponding event log 104 a . . . 104 n to event log reader 111. In some embodiments, event log reader 111 remotely accesses an event log stored on primary systems 102 a . . . 102 n.

Event log reader 111 stores the obtained event logs in event log store 113. Event log store 113 may be stored in a memory or a storage device associated with event analysis system 112. Event log store 113 is coupled to anomalous event detector 115. Anomalous event detector 115 is comprised of a plurality of models. Anomalous event detector 115 obtains the one or more entries corresponding to one or more events included in the event logs as input to the plurality of models.

The plurality of models may be configured to perform analysis according to a schedule (e.g., daily). In some embodiments, a first sub-set of the models is configured to perform analysis according to a first schedule (e.g., daily) and a second sub-set of the models is configured to perform analysis according to a second schedule (e.g., weekly). Each of the models is configured to determine whether an event is anomalous. The anomalous event by itself or a group of events may be indicative of anomalous behavior. A model may be configured to analyze event log entries that correspond to events that occurred since a last time the model analyzed event log entries. In some embodiments, a model is streamed log entries and analyzes the log entries as they are received. In some embodiments, event analysis system 112 provides to external device 122 a notification of an anomalous event being detected. In response, event analysis system 112 may receive from external device 122 an indication of a time frame in which one or more models analyze analyzes event log events for anomalous events.

The plurality of models are configured to detect different types of anomalous behavior. For example, a model may be configured to determine whether an event or a group of events are indicative of an insider attack, a ransomware attack, a brute force attack, wide access (e.g., log in attempts from different locations), a sensitive data leak, a geo fencing breach, or a combination thereof. A model is configured to detect specific types of anomalous events. For example, a first model configured to detect insider attack events may determine that a first event is indicative of an insider attack and a second model configured to detect ransomware events may determine that a second event is indicative of a ransomware attack. The second model may determine that the first event is not indicative of a ransomware attack.

A model may be a rules-based model, a machine learning model, a deterministic-based model, a heuristic-based model, etc. Based on the one or more event log entries obtained from event log store 113, each of the models is configured to output a corresponding confidence level that indicates whether one or more events corresponding to the one or more event log entries are anomalous. A model may determine that an event is an anomalous event in the event a confidence level outputted by the model is greater than a confidence level threshold. In some embodiments, the confidence level is based on historical events associated with a particular user. In some embodiments, the confidence level is based on historical events associated with a system that provided the event log. In some embodiments, the confidence level is based on historical programmatic events associated with an application. In some embodiments, the confidence level is based on a combination of events.

In some embodiments, none of the plurality of models' output determine any of the events to be anomalous. In some embodiments, one of the plurality of models outputs a corresponding confidence level that indicates one or more events are anomalous. In some embodiments, at least two of the plurality of models output a corresponding confidence level that indicates one or more events are anomalous.

After the plurality of models have executed, event analysis system 112 is configured to generate a graphical representation of risk entities associated with at least one of the one or more anomalous events. Examples of risk entities include a location, an actor, a model associated with the event, or an object that the actor accessed or attempted to access. The graphical representation is comprised of a first plurality of graphical user interface items corresponding to the risk entities associated with at least one of the one or more anomalous events. The graphical representation is a visual representation of automatically detected relationships between the risk entities. For example, a first graphical user interface item corresponding to a location may be linked to a second graphical user interface item corresponding to an actor, which is linked to a third graphical user interface item corresponding to a model associated with the anomalous event, which is linked to an object that the actor accessed or attempted to access. In some embodiments, the relationship is depicted for an event or a group of events that occurred during the particular time frame and having a confidence level greater than a confidence level threshold. In some embodiments, the relationship is depicted for all events or a group of events that occurred during the particular time frame.

The graphical representation may include indications of a measure of anomaly for an event, which may be based on a confidence level outputted by one of the models. The measure of anomaly for an event is reflected in risk entities associated with the event. The reflected measure of anomaly may be color-coded. For example, a graphical user interface item corresponding to an entity associated with a high-risk event may be in red, a graphical user interface item corresponding to an entity associated with a medium-risk event may be in orange, and a graphical user interface item corresponding to an entity associated with a low-risk event may be in green.

The measure of anomaly for an event may be based on a confidence level outputted by one of the models. The measure of anomaly for an event is reflected in risk entities associated with the event. A risk entity may be associated with a high risk event in the event a confidence level of an event associated with the risk entity is greater than a first risk threshold. A risk entity may be associated with a medium risk event in the event a confidence level of an event associated with the risk entity is less than or equal to the first risk threshold and greater than a second risk threshold. A risk entity may be associated with a low risk event in the event a confidence level of an event associated with the risk entity is less than or equal to the second risk threshold and greater than a risk lower limit. An event is determined to be anomalous in the event the confidence level is at least greater than the risk lower limit.

Event analysis system 112 is configured to provide the graphical representation to one or more client devices 122 via graphical user interface 117. A client device may be a computer, a desktop, a laptop, a tablet, a server, a smart device, etc. Event analysis system 112 is configured to receive one or more inputs from the one or more client devices 122 via graphical user interface 117. In some embodiments, an input causes the graphical representation to be shared with another user. Once shared, the other user may collaborate on the graphical representation via graphical user interface 117. In some embodiments, an input enables a chat window to be associated with graphical user interface 117. In some embodiments, an input enables a comment to be associated with a graphical user interface item. In some embodiments, an input enables a graphical user interface item to be ignored. In some embodiments, an input causes a report of the detected anomalous behavior to be generated.

In some embodiments, an input selects one or more of the graphical user interface items. In response to the selection of the graphical user interface item(s), anomalous event detector 115 is configured to determine one or more events associated with the selected graphical user interface item(s) that may be indicative of anomalous behavior. Anomalous event detector 115 is configured to re-analyze the one or more event logs stored in event log store 113 to identify one or more events associated with the selected graphical user interface item(s).

For example, a graphical user interface item corresponding to a location may be selected. In response to the selection, anomalous event detector 115 re-analyzes one or more event logs stored in event log store 113 to identify, if any, one or more other events associated with the location.

In another example, a graphical user interface item corresponding to an actor may be selected. In response to the selection, anomalous event detector 115 re-analyzes one or more event logs stored in event log store 113 to identify, if any, one or more other events associated with the actor.

In another example, a graphical user interface item corresponding to a model may be selected. In response to the selection, anomalous event detector 115 re-analyzes one or more event logs stored in event log store 113 to identify, if any, one or more other events associated with the model.

In another example, a graphical user interface item corresponding to an object that the actor accessed or attempted to access may be selected. In response to the selection, anomalous event detector 115 re-analyzes one or more event logs stored in event log store 113 to identify, if any, one or more other events associated with the object corresponding to the selected graphical user interface item.

In some embodiments, anomalous event detector 115 re-analyzes one or more event logs stored in event log store 113 for one or more events that occurred in the same time frame as the first plurality of graphical user interface items. In some embodiments, anomalous event detector 115 analyzes event log store 113 for one or more events that occurred outside the time frame associated with the first plurality of graphical user interface items. In some embodiments, anomalous event detector 115 re-analyzes event log store 113 for one or more events that occurred in the same time frame as the first plurality of graphical user interface items and for one or more events that occurred outside the time frame associated with the first plurality of graphical user interface items.

An individual identified event or a combination of identified events are provided as input to the plurality of models associated with anomalous event detector 115. Each of the models is configured to output a confidence level that indicates whether an identified event or a combination of identified events are indicative of anomalous behavior. After the plurality of models have executed, event analysis system 112 is configured to update the graphical user interface 117. In some embodiments, graphical user interface 117 is updated to provide a visual representation of a relationship between the selected graphical user interface item and risk entities associated with all of the identified events. In some embodiments, graphical user interface 117 is updated to provide a visual representation of a relationship between the selected graphical user interface item and risk entities associated with identified events having a confidence level that is greater than the confidence threshold. In some embodiments, the graphical representation provides a visual representation of detected relationships of risk entities that were not discovered in the initial analysis.

The graphical representation is comprised of a second plurality of graphical user interface items. A graphical user interface item may correspond to a risk entity, such as a location, an actor, a model that determined the event to be anomalous, or an object that the actor accessed or attempted to access. The graphical representation may include indications of a measure of anomaly associated with a plurality of events. The measures of anomaly associated with the events are reflected in the risk entities associated with the events. The reflected measure of anomaly may be color-coded. The graphical representation depicts the relationship between the entity corresponding to the selected graphical user interface item and the plurality of entities associated with one or more identified events or an identified group of events that occurred during a specified time frame.

For example, in the event a graphical user interface item corresponding to a location was selected, for each identified event, the graphical representation may be updated to depict the relationship between the location associated with the selected graphical user interface item, an actor associated with an identified event, a model associated with the identified event, and an object that the actor associated with the identified event accessed or attempted to access.

In another example, in the event a graphical user interface item corresponding to an actor was selected, for each identified event, the graphical representation may be updated to depict the relationship between the actor associated with the selected graphical user interface item, a location associated with an identified event, a model associated with the identified event, and an object that the actor associated with the identified event accessed or attempted to access.

In another example, in the event a graphical user interface item corresponding to a model was selected, for each identified event, the graphical representation may be updated to depict the relationship between the model associated with the selected graphical user interface item, a location associated with an identified event, an actor associated with the identified event, and an object that the actor associated with the identified event accessed or attempted to access.

In another example, in the event a graphical user interface item corresponding to an object that an actor accessed or attempted to access was selected, for each identified event, the graphical representation may be updated to depict the relationship between the object associated with the selected graphical user interface item, a location associated with an identified event, an actor associated with the identified event, and a model associated with the identified event.

FIG. 2 is a flow diagram illustrating a process for providing evidence of anomalous behavior in accordance with some embodiments. In the example shown, process 200 may be implemented by an event analysis system, such as event analysis system 112.

At 202, one or more event logs are obtained. The one or more event logs include a plurality of entries. Each entry corresponds to an event. An entry may identify an event type and one or more attributes associated with the event. Examples of event type include a file deletion, a file access, a file creation, a file move, a directory deletion, a directory creation, a directory move, a system login grant, a system login denial, a user being added, a user being deleted, a file being downloaded, a user password change, etc. Examples of event attributes include a timestamp, a sequence number, a user to which the event is associated, an object with which the event is associated, an internet protocol address, a location from which the event occurred, etc.

In some embodiments, an event analysis system remotely accesses an event log stored on a source system.

At 204, the one or more event logs are stored.

At 206, the one or more event logs are analyzed. An event analysis system includes a plurality of models that are configured to detect different types of anomalous behavior. For example, a model may be configured to determine whether an event or a group of events are indicative of an insider attack, a ransomware attack, a brute force attack, wide access (e.g., log in attempts from different locations), a sensitive data leak, a geo fencing breach, or a combination thereof. The entries of the one or more event logs are provided as input to each of the plurality of models.

A model may be a rules-based model, a machine learning model, a deterministic-based model, a heuristic-based model, etc. Based on the one or more event log entries, each of the models is configured to output a corresponding confidence level that indicates whether the one or more events corresponding to the one or more log entries are anomalous. A model may determine that an event is anomalous in the event a confidence level associated with the event is greater than a confidence level threshold. In some embodiments, the confidence level is based on historical events associated with a particular user. In some embodiments, the confidence level is based on historical events associated with a system that provided the event log.

Each event is associated with at least one risk entity, such as location, actor, model that determined the event to be indicative of anomalous behavior, an object that the actor accessed or attempted to access, etc. The relationship between the risk entities associated with an event may be determined in part from an event log entry associated with the event. The relationship between different risk entities associated with different events are determined. For example, the event analysis system determines whether any of the events share risk entities.

At 208, a graphical representation of risk entities associated with one or more detected anomalous events is provided. The graphical representation may be provided for one or more events having a corresponding confidence level greater than a confidence threshold. The graphical representation is comprised of a first plurality of graphical user interface items corresponding to the risk entities associated with at least one of the one or more detected anomalous events.

The graphical representation is a visual representation of automatically detected relationships between the risk entities. For example, a first graphical user interface item corresponding to a location may be linked to a second graphical user interface item corresponding to an actor, which is linked to a third graphical user interface item corresponding to a model that determined the event to be anomalous, which is linked to an object that the actor accessed or attempted to access. In some embodiments, the relationship is depicted for anomalous events that occurred during a particular time frame. In some embodiments, the relationship is depicted for all events that occurred during the particular time frame. The particular time frame may be specified by the client device.

At 210, a selection of a graphical user interface item corresponding to one of the risk entities is received.

At 212, the one or more event logs are re-analyzed based on the selected graphical user interface item. The one or more event logs may include one or more other events associated with the selected user interface item. The one or more event logs may include additional event log(s) that were received since the previous analysis. The event analysis system re-analyzes the one or more event logs to identify the one or more other events, if any, associated with the selected user interface item.

In some embodiments, the event analysis system re-analyzes the one or more event logs for one or more events occurring in the same time frame as the first plurality of graphical user interface items. In some embodiments, the event analysis system re-analyzes the one or more event logs for one or more events that occurred outside the time frame associated with the first plurality of graphical user interface items. In some embodiments, the event analysis system re-analyzes the one or more event logs for one or more events that occurred in the same time frame as the first plurality of graphical user interface items and analyzes the one or more event logs for one or more events that occurred outside the time frame associated with the first plurality of graphical user interface items.

A graphical user interface item corresponding to a location may be selected. In response to the selection, the event analysis system re-analyzes one or more event logs to identify, if any, one or more other events associated with the location. At least one of the one or more identified events associated with the location may have a corresponding confidence level outputted by one or more of the models that is greater than the confidence level threshold.

In another example, a graphical user interface item corresponding to an actor may be selected. In response to the selection, the event analysis system re-analyzes one or more event logs to identify, if any, one or more other events associated with the actor. At least one of the one or more identified events associated with the actor may have a corresponding confidence level outputted by one or more of the models that is greater than the confidence level threshold.

In another example, a graphical user interface item corresponding to a model may be selected. In response to the selection, the event analysis system re-analyzes one or more event logs stored to identify, if any, one or more other events associated with the model. At least one of the one or more identified events associated with the model may have a corresponding confidence level outputted by the model corresponding to the selected graphical user interface item that is greater than the confidence level threshold.

In another example, a graphical user interface item corresponding to an object that the actor accessed or attempted to access may be selected. In response to the selection, the event analysis system re-analyzes one or more event logs to identify, if any, one or more other events associated with the object corresponding to the selected graphical user interface item. At least one of the one or more identified events associated with the object corresponding to the selected graphical user interface item may have a corresponding confidence level outputted by one or more of the models that is greater than the confidence level threshold.

At 214, the graphical representation of risk entities associated with one or more detected anomalous events is updated. The graphical representation is comprised of a second plurality of graphical user interface items. A graphical user interface item may correspond to a risk entity, such as a location, an actor, a model that detected an anomalous event associated with the event or group of events, or an object that the actor accessed or attempted to access. The graphical representation may include indications of a measure of anomaly associated with the events. The measure of anomaly is reflected in risk entities associated with the event, which may be color-coded. The graphical representation depicts the relationship between the entity corresponding to the selected graphical user interface item and the plurality of entities associated with one or more identified events. The relationship may be depicted for all of the one or more identified events. In some embodiments, the relationship is depicted for one or more identified events having a corresponding confidence level greater than a confidence threshold level.

For example, in the event a graphical user interface item corresponding to a location was selected at 210, for each identified event, the graphical representation may be updated to depict the relationship between the location associated with the selected graphical user interface item, an actor associated with an identified event, a model associated with the identified event, and an object that the actor associated with the identified event accessed or attempted to access.

In another example, in the event a graphical user interface item corresponding to an actor was selected at 210, for each identified event, the graphical representation may be updated to depict the relationship between the actor associated with the selected graphical user interface item, a location associated with an identified event, a model associated with the identified event, and an object that the actor associated with the identified event accessed or attempted to access.

In another example, in the event a graphical user interface item corresponding to a model was selected at 210, for each identified event, the graphical representation may be updated to depict the relationship between the model associated with the selected graphical user interface item, a location associated with an identified event, an actor associated with the identified event, and an object that the actor associated with the identified event accessed or attempted to access.

In another example, in the event a graphical user interface item corresponding to an object that an actor accessed or attempted to access was selected at 210, for each identified event, the graphical representation may be updated to depict the relationship between the object associated with the selected graphical user interface item, a location associated with an identified event, the actor associated with the identified event, and a model associated with the identified event.

FIG. 3 is a flow diagram illustrating a process for analyzing an event log in accordance with some embodiments. In the example shown, process 300 may be implemented by an event analysis system, such as event analysis system 112. In some embodiments, process 300 is implemented to perform some or all of step 206 of process 200.

At 302, events included in an event log for a particular time frame are provided as input to a plurality of models. For example, a first event may be provided as input to a first model, provided as input to a second model, . . . , and provided as input to an nth model. A second event may be provided as input to the first model, provided as input to the second model, . . . , and provided as input to an nth model. An nth event may be provided as input to the first model, provided as input to the second model, . . . , and provided as input to the nth model. In some embodiments, the events are provided as input to a subset of the plurality of models.

At 304, it is determined whether any of the events are indicative of anomalous behavior based on a corresponding confidence level outputted by each of the plurality of models. An event may be determined to be anomalous in the event a confidence level outputted by one of the models is greater than a confidence level threshold.

At 306, relationships between risk entities are determined for each of the one or more events determined to have a confidence level greater than a confidence threshold. Examples of risk entities include a location, an actor, a model that detected an anomalous event associated with the event or group of events, or an object that the actor accessed or attempted to access. The relationship may link a location associated with an event to an actor associated with the event, a model that determined the event to be anomalous, and an object associated with the event that was accessed or attempted to be accessed.

At 308, relationships between different risk entities associated with different determined events are determined. The determined relationships may indicate how each of the determined events relate to each other. For example, the event analysis system may determine that a first event and a second event share the same location and actor, but the first event was detected by a first model and a first object was accessed or attempted to be accessed, and the second event was detected by a second model and a second object was accessed or attempted to be accessed.

As a result of determining the relationships at 306 and 308, the graphical representation of the anomalous events may be depicted as a web of interconnected risk entities.

In some embodiments, when a plurality of risk entities of a first type are associated with the same risk entity of a different type, the measure of anomaly for the same risk entity of the different type corresponds to the highest confidence level among the plurality of risk entities of the first type. For example, a plurality of actors may be associated with events provided as input to a model. Each of the events is associated with a corresponding confidence level. The measure of anomaly for the model corresponds to the highest confidence level of the plurality of confidence levels.

FIG. 4 is a flow diagram illustrating a process for analyzing an event log in accordance with some embodiments. In the example shown, process 400 may be implemented by an event analysis system, such as event analysis system 112. In some embodiments, process 400 is implemented to perform some or all of step 212 of process 200.

At 402, one or more event logs are re-analyzed to identify one or more events associated with a selected graphical user interface item. For example, the selected graphical user interface item may correspond to a location. The one or more event logs may be re-analyzed to identify one or more other events that are associated with the location.

In another example, the selected graphical user interface item may correspond to an actor. The one or more event logs may be re-analyzed to identify one or more other events that associated with the actor.

In another example, the selected graphical user interface item may correspond to a model that detected the anomalous behavior. The one or more logs may be re-analyzed to identify one or more other events determined by the model to have a confidence level greater than a confidence level threshold.

In another example, the selected graphical user interface item may correspond to an object that an actor accessed or attempted to accessed. The one or more logs may be re-analyzed to identify one or more other events associated with the object.

At 404, the one or more identified events are provided as input to each of a plurality of models.

At 406, the one or more identified events having a confidence level greater than a confidence threshold are determined. Each of the plurality of models is configured to output a corresponding confidence level for each of the one or more identified events.

At 408, relationships between risk entities are determined for each of the one or more determined events. Examples of risk entities include a location, an actor, a model that determined the event to be anomalous, or an object that the actor accessed or attempted to access.

For example, in the event the selected graphical user interface item corresponds to a location, a relationship between the location and an actor associated with a first determined event (who performed the event), a model associated with the first determined event (which model detected the anomalous behavior), and an object associated with the first determined event is determined (what object did the actor access or attempt to access).

In the event the selected graphical user interface item corresponds to an actor, a relationship between the actor and a location associated with a second determined event (where did the actor perform the event), a model associated with the second determined event (which model detected the anomalous behavior), and an object associated with the second determined event is determined.

In the event the selected graphical user interface item corresponds to a model that determined an event to be anomalous, a relationship between the model and a location associated with a third determined event, an actor associated with the third determined event, and an object associated with the third determined event is determined.

In the event the selected graphical user interface item corresponds to an object that was accessed or attempted to be accessed, a relationship between the object and a location associated with a fourth determined event, an actor associated with the fourth determined event, and a model associated with the fourth determined event is determined.

At 410, relationships between different risk entities associated with different determined events are determined. The determined relationships may indicate how each of the determined events relate to the selected graphical user interface item.

For example, the selected graphical user interface item may correspond to a location. The event analysis system may determine whether any of the determined events share an actor, a model, or an object that was accessed or attempted to be accessed.

In some embodiments, the event analysis system determines that a plurality of actors associated with the same location accessed or attempted to access the same object.

The selected graphical user interface item may correspond to an actor. The event analysis system may determine whether any of the determined events share a location, a model, or an object that was accessed or attempted to be accessed.

The selected graphical user interface item may correspond to a model. The event analysis system may determine whether any of the determined events share a location, a model, or an object that was accessed or attempted to be accessed.

The selected graphical user interface item may correspond to an object that was accessed or attempted to be accessed. The event analysis system may determine whether any of the determined events share a location, an actor, or a model.

As a result of determining the relationships at 408 and 410, the graphical representation of the anomalous events may be depicted as a web of interconnected risk entities.

When a plurality of risk entities of a first type are associated with the same risk entity of a different type, the measure of anomaly for the same risk entity of the different type corresponds to the highest confidence level among the plurality of risk entities of the first type.

FIG. 5 is a flow diagram illustrating a process of training a model in accordance with some embodiments. In the example shown, process 500 may be implemented by an event analysis system, such as event analysis system 112.

At 502, one or more event logs are received. Each event log is comprised of a plurality of entries. Each entry corresponds to an event. Each entry of an event log identifies an event type and one or more attributes associated with the event. Examples of event type include a file deletion, a file access, a file creation, a file move, a directory deletion, a directory creation, a directory move, a system login grant, a system login denial, a user being added, a user being deleted, a file being downloaded, a user password change, change of state, change of status etc. Examples of event attributes include a timestamp, a sequence number, a user to which the event is associated, an object with which the event is associated, an internet protocol address, a location from which the event occurred, etc.

At 504, a machine learning model is trained based on the one or more event logs. The machine learning model is trained to identify a particular type of anomalous behavior. For example, a machine learning model may be trained to determine whether an event or a group of events are indicative of an insider attack, a ransomware attack, a brute force attack, wide access (e.g., log in attempts from different locations), a sensitive data leak, a geo fencing breach, or a combination thereof.

The machine learning model may be a supervised learning machine learning model, a semi-supervised machine learning model, an unsupervised machine learning model, or a reinforcement machine learning model. Examples of machine learning model algorithms include a Naïve Bayes classifier algorithm, K Means clustering algorithm, support vector machine algorithm, linear regression, logistic regression, artificial neural networks, decision trees, random forests, nearest neighbors, etc.

The entries included in the one or more event logs are sorted into training data and validation data. The entries included in the training data are applied to a machine learning model. The model is trained using the training data until it has a prediction accuracy greater than a threshold accuracy.

The entries included in the validation data are applied to a trained machine learning model. In the event the trained machine learning model has a prediction accuracy above the threshold, the trained machine learning model is validated and ready for use with production data (e.g., event logs from primary systems 102 a, 102 n). Otherwise, the machine learning model is retrained and revalidated to produce a more accurate machine learning model.

At 506, a plurality of events included in one or more event logs are applied to the machine learning model. The machine learning model outputs a corresponding confidence level that indicates whether one or more events corresponding to the one or more event log entries are anomalous. A model may determine that an event is anomalous in the event a confidence level associated with the event is greater than a confidence level threshold.

At 508, feedback is received. A graphical user interface that provides a graphical representation of an event determined to be an anomalous event is provided to a client device. A user associated with the client device may provide, via the graphical user interface, feedback regarding a risk entity associated with an anomalous event. For example, the graphical representation may indicate a risk entity is a medium-risk entity. The received feedback (e.g., clicking ignore on the graphical user interface item corresponding to the risk entity) may indicate that the risk entity is a low-risk entity.

At 510, the machine learning model is retrained based on the feedback.

FIGS. 6A-6N are examples of a graphical user interface in accordance with some embodiments. Graphical user interface 600 provides a graphical representation of risk entities associated with four different events occurring within a time frame 624.

A visual representation of a first event depicts the relationship between the risk entities associated with the first event. Graphical user interface item 602 corresponding to a location of “San Francisco, CA” is linked to graphical user interface item 608 corresponding to an “unknown” actor, which is linked to a graphical user interface item 612 corresponding to a model that detected an event to be anomalous, which is linked to a graphical user interface item 618 corresponding to an object accessed or attempted to be accessed by the “unknown” actor.

A visual representation of a second event includes graphical user interface item 604 corresponding to a location of “Pyongyang, North Korea” linked to graphical user interface item 606 corresponding to an actor named “Sen-yun,” which is linked to a graphical user interface item 614 corresponding to a model that detected an event to be anomalous, which is linked to graphical user interface item 616 corresponding to an object accessed or attempted to be accessed by the actor named “Sen-yun.”

A visual representation of a third event includes graphical user interface item 604 corresponding to a location of “Pyongyang, North Korea” linked to graphical user interface item 606 corresponding to an actor named “Sen-yun,” which is linked to graphical user interface item 614 corresponding to a model that detected an event to be anomalous, which is linked to graphical user interface item 622 corresponding to an object accessed or attempted to be accessed by the actor named “Sen-yun.”

A visual representation of a fourth event includes graphical user interface item 607 corresponding to an actor named “Ji-yoo” linked to graphical user interface item 612 corresponding to a model that detected an event to be anomalous, which is linked to graphical user interface item 618 corresponding to an object accessed or attempted to be accessed by the actor named “Ji-yoo.”

Each of the graphical user interface items has a corresponding measure of anomaly. For example, graphical user interface items 604, 606, 614, 622 have a red header. When a plurality of risk entities of a first type are associated with the same risk entity of a different type, the measure of anomaly for the same risk entity of the different type corresponds to the highest confidence level among the plurality of risk entities of the first type. This indicates that the risk entities are high-risk entities. Graphical user interface item 616 has an orange header. This indicates that the risk entity is a medium-risk entity. Graphical user interface items 607, 612, 618 have a green header. This indicates that the risk entities are low-risk entities. Graphical user interface item 602 has a gray header. Graphical user interface item 608 has a blue header. This indicates that the risk entity is neutral.

A user may select any of the graphical user interface items. FIG. 6B illustrates a selection of graphical user interface item 604. For example, a user may provide an input to graphical user interface 605, such as right-clicking on graphical user interface item 604. In response to the input, graphical user interface 605 provides a menu 626 having an option to “show related evidence,” an option to “add to incident report,” and an option to “remove card.”

FIG. 6C illustrates a selection of “show related evidence.” In response to the selection, graphical user interface 605 is updated to be graphical user interface 610. The event analysis system analyzes one or more event logs to identify, if any, related to the location of “Pyongyang.”

Graphical user interface 610 depicts the relationship between a location of “Pyongyang” and the identified events.

A visual representation of a first related event depicts the relationship between the risk entities associated with the first related event. Graphical user interface item 604 corresponding to a location of “Pyongyang” is linked to graphical user interface item 628 corresponding to an actor named “Sen-yoo,” which is linked to a graphical user interface item 632 corresponding to a model that detected an event to be anomalous, which is linked to a graphical user interface item 634 corresponding to an object accessed or attempted to be accessed by the actor named “Sen-yoo.”

A visual representation of a second related event depicts the relationship between the risk entities associated with the second related event. Graphical user interface item 604 corresponding to a location of “Pyongyang” is linked to graphical user interface item 628 corresponding to an actor named “Sen-yoo,” which is linked to a graphical user interface item 632 corresponding to a model that detected an event to be anomalous, which is linked to a graphical user interface item 636 corresponding to an object accessed or attempted to be accessed by the actor named “Sen-yoo.”

A visual representation of a third related event depicts the relationship between the risk entities associated with the third related event. Graphical user interface item 604 corresponding to a location of “Pyongyang” is linked to graphical user interface item 628 corresponding to an actor named “Sen-yoo,” which is linked to a graphical user interface item 632 corresponding to a model that detected an event to be anomalous, which is linked to a graphical user interface item 638 corresponding to an object accessed or attempted to be accessed by the actor named “Sen-yoo.”

Graphical user interface 610 also depicts the relationships between different risk entities associated with different determined events. In the example shown, the first, second, and third related events share the same location, actor, and model that determined the events associated with the actor to be anomalous.

FIG. 6D illustrates a graphical user interface 615 where the risk entities associated with the relevant event are being added to a database of high-risk entities. Risk entities are being marked as evidence of anomalous events. This is illustrated by fingerprint icons 642, 644, 646, 648. These risk entities will remain in the graphical user interface when parameters, such as time frame 624, are changed.

FIG. 6E illustrates user 654 may share graphical user interface 620 via share button 652. In response to receiving a selection of share button 652, as seen in FIG. 6F, an overlay page 656 is depicted in graphical user interface 625. A user may specify contact information (e.g., email address, phone number, etc.) of another user and a description of the evidence board. Overlay page 656 includes a create button 658. In response to receiving a selection of create button 658, a link associated with the evidence board is provided to the contact information provided in overlay page 656. As seen in the graphical user interface 630 of FIG. 6G, the evidence board has been shared with user 662, which may collaborate with user 654.

FIG. 6H depicts graphical user interface 635 having a chat button 664. In response to a selection of chat button 664, as seen in the graphical user interface 640 of FIG. 6I, two or more collaborating users may communicate via chat window 666.

FIG. 6J depicts graphical user interface 645 having a comment button 668. In response to a selection of comment button 668, a user may leave a comment for any of the graphical user interface items. As seen in the graphical user interface 650 of FIG. 6K, a user has made comments 672, 674, 676.

The graphical representation of risk entities associated with a detected anomalous event is reviewed by a user associated with a client device. The user may review the risk entities and determine whether to ignore an anomalous event. Each of the graphical user interface items 602, 604, 606, 607, 608, 612, 614, 616, 618, 622 may be ignored by the user. As seen in the graphical user interface 655 of FIG. 6L, the user is selecting graphical user interface item 678 to ignore graphical user interface item 607. In response to the selection, as seen in the graphical user interface 660 of FIG. 6M, graphical user interface item 607 has been ignored 682 by the user. As seen in FIG. 6N, the user has ignored graphical user interface items 607, 608, 612, 618. Graphical user interface 665 illustrates these graphical user interface items being ignored by changing “Ignore” on the graphical user interface item to be “Ignored.” The “Ignored” text 682, 684, 686, 688 is highlighted in white to indicate that a graphical user interface item has been ignored.

This feedback may be used by the event analysis system to re-train one or more of its models.

FIG. 7A illustrates an example of a graphical user interface in accordance with some embodiments. In the example shown, graphical user interface 700 illustrates a report that summarizes and describes one of the events detected by the event analysis system. The report may include a summary section that includes a description 704 of the event. The report may be automatically generated based on risk entities that are marked as evidence, for example, risk entities 642, 644, 646, 648 as seen in FIG. 6D. Information associated with the risk entities is included in the report. Notes may be added to risk entities 642, 644, 646, 648 and be included in the report.

The report may include sections corresponding to the different risk entities. A section may include a description associated with a risk entity 706, 712, access logs 708, 714 that indicate the event is anomalous, and notes 710 associated with the risk entity.

Graphical user interface 700 includes a schedule button 702. In response to a selection of schedule button 702, as seen in FIG. 7B, an overlay page 752 is provided to the user via graphical user interface 750. The overlay page may enable the user to name the report, schedule the report, add contact information of recipients of the report, and an export format.

The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive. 

What is claimed is:
 1. A method, comprising: receiving one or more event logs; analyzing the one or more event logs using a plurality of models to detect one or more anomalous events; and providing a graphical representation of risk entities associated with at least one of the one or more detected anomalous events, wherein providing the graphical representation includes: providing in the graphical representation a visual representation of automatically detected relationships between the risk entities associated with the at least one of the one or more detected anomalous events including by providing a first plurality of graphical user interface items corresponding to the risk entities associated with a first detected anomalous event, wherein a first graphical user interface item included in the first plurality of graphical user interface items corresponds to a first risk entity of the risk entities, wherein the first graphical user interface item indicates which model of the plurality of models detected the at least one of the one or more detected anomalous events to be anomalous, wherein the first graphical user interface item is graphically linked to one or more other graphical user interface items of the first plurality of graphical user interface items, wherein the one or more other graphical user interface items correspond to one or more other risk entities of the risk entities associated with the first detected anomalous event; and providing a corresponding indication of a measure of anomaly associated with the at least one of the one or more detected anomalous events for the risk entities associated with the at least one of the one or more detected anomalous events.
 2. The method of claim 1, wherein the plurality of models are configured to detect different types of anomalous behavior.
 3. The method of claim 1, wherein each of the one or more event logs includes a plurality of entries, wherein an entry of the plurality of entries corresponds to an event.
 4. The method of claim 3, wherein for the event, each of the plurality of models outputs a corresponding confidence level that indicates whether the event is anomalous.
 5. The method of claim 4, wherein the event is anomalous if the corresponding confidence level is greater than a confidence level threshold.
 6. The method of claim 4, wherein the corresponding confidence level is based on historical events associated with a particular user.
 7. The method of claim 4, wherein the corresponding confidence level is based on historical events associated with a system that provided the one or more event logs.
 8. The method of claim 1, wherein analyzing the one or more event logs using the plurality of models to detect the one or more anomalous events includes determining relationships between the risk entities associated with the at least one of the one or more detected anomalous events.
 9. The method of claim 1, wherein analyzing the one or more event logs using the plurality of models to detect the one or more anomalous events includes determining relationships between different risk entities associated with different events determined to be anomalous.
 10. The method of claim 1, further comprising receiving a selection of a second risk entity associated with the at least one of the one or more detected anomalous events.
 11. The method of claim 10, further comprising in response to the selection of the second risk entity, re-analyzing the one or more event logs to identify one or more events that are associated with the selected second risk entity.
 12. The method of claim 11, further comprising updating the graphical representation to provide a visual representation of detected relationships between the selected second risk entity and risk entities associated with the one or more identified events.
 13. The method of claim 11, further comprising providing one or more entries corresponding to the one or more identified events as input to the plurality of models.
 14. The method of claim 13, wherein each of the plurality of models is configured to output a corresponding confidence level for each of the one or more identified events.
 15. The method of claim 14, further comprising updating the graphical representation to provide a visual representation of detected relationships between the selected second risk entity and risk entities associated with the one or more identified events for one or more events having the corresponding confidence level greater than a confidence level threshold.
 16. The method of claim 1, further comprising receiving feedback for at least one of the risk entities associated with the at least one of the one or more detected anomalous events.
 17. The method of claim 16, further comprising updating at least one of the plurality of models based on the received feedback.
 18. The method of claim 1, further comprising storing the one or more event logs.
 19. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving one or more event logs; analyzing the one or more event logs using a plurality of models to detect one or more anomalous events; and providing a graphical representation of risk entities associated with at least one of the one or more detected anomalous events, wherein providing the graphical representation includes: providing in the graphical representation a visual representation of automatically detected relationships between the risk entities associated with the at least one of the one or more detected anomalous events including by providing a first plurality of graphical user interface items corresponding to the risk entities associated with a first detected anomalous event, wherein a first graphical user interface item included in the first plurality of graphical user interface items corresponds to a first risk entity of the risk entities, wherein the first graphical user interface item indicates which model of the plurality of models detected the at least one of the one or more detected anomalous events to be anomalous, wherein the first graphical user interface item is graphically linked to one or more other graphical user interface items of the first plurality of graphical user interface items, wherein the one or more other graphical user interface items correspond to one or more other risk entities of the risk entities associated with the first detected anomalous event; and providing a corresponding indication of a measure of anomaly associated with the at least one of the one or more detected anomalous events for the risk entities associated with the at least one of the one or more detected anomalous events.
 20. A system, comprising: one or more processors configured to: receive one or more event logs; analyze the one or more event logs using a plurality of models to detect one or more anomalous events; and provide a graphical representation of risk entities associated with at least one of the one or more detected anomalous events, wherein to provide the graphical representation the one or more processors are configured to: provide in the graphical representation a visual representation of automatically detected relationships between the risk entities associated with the at least one of the one or more detected anomalous events including by providing a first plurality of graphical user interface items corresponding to the risk entities associated with a first detected anomalous event, wherein a first graphical user interface item included in the first plurality of graphical user interface items corresponds to a first risk entity of the risk entities, wherein the first graphical user interface item indicates which model of the plurality of models detected the at least one of the one or more detected anomalous events to be anomalous, wherein the first graphical user interface item is graphically linked to one or more other graphical user interface items of the first plurality of graphical user interface items, wherein the one or more other graphical user interface items correspond to one or more other risk entities of the risk entities associated with the first detected anomalous event; and provide a corresponding indication of a measure of anomaly associated with the at least one of the one or more detected anomalous events for the risk entities associated with the at least one of the one or more detected anomalous events; and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions. 